Sign executable within a clickonce application when publishing

Question

I have a c# .net project in Visual Studio 2013. I have successfully signed the manifest told Visual studio to also sign the assembly.

However the application exe file is not being signed. After googling I added the following to the post build event

"C:\Program Files\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f "$(ProjectDir)certificate.pfx" /p mypassword "$(ProjectDir)obj\Debug\myapp.exe"

and also tried

"C:\Program Files\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f "$(ProjectDir)certificate.pfx" /p mypassword "$(ProjectDir)bin\Debug\myapp.exe"

That seems to sign the exe, however now my application won't launch and gives the error:

File, ECG Cloud Holter Assistant.exe, has a different computed hash than specified in manifest.

So I think I need it to sign the exe before it generates the manifest but how do I do that?

If I don't include the post build command, the app runs ok but with an unknown publisher warning.

Answer 1

Try giving this a shot:
1. Right-click on the winforms project and select "Unload Project".
2. Right-click on the project again and select "Edit (yourprojectname).csproj".
3. Go to the bottom of the file and add the following section before the closing "Project" tag:

<Target Name="AfterCompile">
   <Exec Command="C:\Program Files\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f "$(ProjectDir)certificate.pfx" /p mypassword "$(ProjectDir)obj\Debug\myapp.exe" />
</Target>

4. Save the proj file and close it.
5. Right-click on the project again and reload it.

Now if you build your project, you won’t see anything about signing the application executable in the output window. It will only do it if you publish, and there won’t be logging letting you know it signed it. How do you know if it worked? Go to the folder you published to, and look in the Application Files folder. Locate the application executable in the folder for the new version. Right-click on it, choose properties. Look for a tab called “Digital Signatures”. If it’s not found, it’s not signed. If you do see it, go to that tab; it will show the signature list and the signer of the certificate. You can double-click on the signer and then view the signing certificate.

I had a similar issue and was able to figure it out with help from this blog post: https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/